Evidence File Containers

Overview

Evidence file containers are logical images that contain only
selected files and preserve those files together with practically
all of their external metadata. They serve two purposes: as an
acquisition format that substitutes for a conventional forensically
sound image (where only some files are needed and a full sector-wise
image would be overkill), and as a way to share selected files with
other examiners, investigators, lawyers, prosecutors, the opposing
party etc. Evidence file containers can be created by X-Ways
Forensics and X-Ways Investigator. See also the comparison with
skeleton images and cleansed images.

The information on this page is
about the new container format used by v16.3 and later. It is as
universal as it gets and can be understood by 3rd party forensic
tools with in-depth file system support out of the box or with
little additional effort.

Note

Containers are initially raw images with a special file system
(XWFS2). They can be converted to the .e01 evidence file format.
However, that conversion does not change any of the file system data
structures stored in the sectors, and it does not make the file
system in the image somehow "more compatible", as some users seem to
expect. The file format of the outer image (raw or .e01) is separate
from the format of the data in the inner sectors (the XWFS2 file
system): a tool that is to read the files inside a container must
understand XWFS2 either way.

Containers are designed to preserve as much metadata of the included
files as possible, see below. Evidence file containers can even
transport only the external metadata of files, without the file
contents, if the creator of the container so desires. Such files are
marked as "metadata only" in the container and still show the
original file size (which is itself external metadata), while their
contents are not available from the container. This concept does not
exist in ordinary file systems, and some recipients of containers who
are not familiar with X-Ways Forensics find it disturbing: they
report back to us that copying a file with a size of > 0 off the
container yields a copy with a size of 0 bytes (no data), as if that
were an error, although the program told them beforehand that only
metadata is available for that file.

Evidence file containers can even transport only a selected range of
data within a file (from offset x to offset y), in which case the
file in the container is marked as an excerpt. The creator can also
choose whether or not to include the original path of a file in the
container, completely or partially. If paths are included, the parent
directories can either keep their own file system data (e.g. INDX
buffers in NTFS) or not. Omitting that data is desirable, for
example, when the creator does not wish to reveal to the recipient
external metadata of other files that reside in the same directory in
the original evidence object, since such directory structures would
otherwise carry entries for files that were never selected.
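The two paragraphs above describe three kinds of entries a recipient can meet in a container: complete files, "metadata only" files whose recorded size is > 0 although no content was transported, and excerpts covering only bytes x to y. The following Python example, added here and not part of the original page or of X-Ways' own code, shows how a recipient can reconcile files copied off a container against those records so that a 0-byte copy of a metadata-only entry is reported as expected rather than as an error. The `ContainerEntry` record, its `sha256` field and the sample entries are modelling assumptions for the example; they are not the XWFS2 on-disk structures, which the page does not describe, and X-Ways does not necessarily store a hash per entry.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Verdicts returned by check_copy()
COMPLETE = "complete"             # full content present and (if recorded) hash matches
METADATA_ONLY = "metadata-only"   # 0 bytes by design; the original size is metadata
EXCERPT = "excerpt"               # only bytes [x, y) of the file were transported
SIZE_MISMATCH = "size-mismatch"   # copy length disagrees with what the container promises
HASH_MISMATCH = "hash-mismatch"   # right length, wrong content


@dataclass(frozen=True)
class ContainerEntry:
    """Hypothetical per-file record as a recipient might read it from a
    container listing. Assumption for this example, not the XWFS2 format."""
    path: str
    original_size: int                          # external metadata, always present
    metadata_only: bool = False                 # contents deliberately not transported
    excerpt: Optional[Tuple[int, int]] = None   # (offset_x, offset_y), end exclusive
    sha256: Optional[str] = None                # assumed hash of transported bytes, if any

    def __post_init__(self) -> None:
        if self.original_size < 0:
            raise ValueError("original_size must be >= 0")
        if self.metadata_only and self.excerpt is not None:
            raise ValueError("an entry is either metadata-only or an excerpt, not both")
        if self.excerpt is not None:
            x, y = self.excerpt
            if not (0 <= x <= y <= self.original_size):
                raise ValueError(f"excerpt {self.excerpt} lies outside a {self.original_size}-byte file")


def expected_length(entry: ContainerEntry) -> int:
    """Number of bytes a recipient should expect when copying this entry out."""
    if entry.metadata_only:
        return 0
    if entry.excerpt is not None:
        x, y = entry.excerpt
        return y - x
    return entry.original_size


def check_copy(entry: ContainerEntry, copied: bytes) -> str:
    """Classify a file copied off the container against its container record."""
    if len(copied) != expected_length(entry):
        return SIZE_MISMATCH
    if entry.metadata_only:
        return METADATA_ONLY          # 0 bytes is the documented outcome, not an error
    if entry.sha256 is not None and hashlib.sha256(copied).hexdigest() != entry.sha256:
        return HASH_MISMATCH
    return EXCERPT if entry.excerpt is not None else COMPLETE


def triage(copies: Iterable[Tuple[ContainerEntry, bytes]]) -> Dict[str, int]:
    """Count verdicts over a batch of (record, copied bytes) pairs."""
    return dict(Counter(check_copy(entry, data) for entry, data in copies))


# Constructed sample data: one e-mail-like file plus three other entries.
ORIGINAL = b"From: alice@example.test\nSubject: Q3 numbers\n\n" + bytes(range(256)) * 4
HEADER_END = ORIGINAL.index(b"\n\n") + 2   # the excerpt transports only the header lines

SAMPLE_COPIES = [
    (ContainerEntry("Users/alice/mail/q3.eml", len(ORIGINAL),
                    sha256=hashlib.sha256(ORIGINAL).hexdigest()), ORIGINAL),
    (ContainerEntry("Users/alice/mail/q3-copy.eml", len(ORIGINAL),
                    excerpt=(0, HEADER_END)), ORIGINAL[:HEADER_END]),
    (ContainerEntry("Users/alice/Documents/budget.xlsx", 48_128,
                    metadata_only=True), b""),
    (ContainerEntry("Users/alice/Documents/notes.txt", 11), b"short"),  # truncated copy
]

if __name__ == "__main__":
    for entry, data in SAMPLE_COPIES:
        print(f"{check_copy(entry, data):14} {entry.path} "
              f"(original size {entry.original_size}, copied {len(data)})")
    print(triage(SAMPLE_COPIES))
```

Only the fourth sample, a genuinely truncated copy, is reported as a mismatch; the 0-byte copy of `budget.xlsx` is classified as metadata-only because its record says so, which is the distinction recipients unfamiliar with containers tend to miss.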

In short: as always, users of X-Ways Forensics have the maximum
amount of control over what data they analyze and share, and the
recipient of an evidence file container should realize that the whole
point of such a container is to encapsulate a selected subset of the
original data, not necessarily every file, every byte of every file,
or every path.